diff --git a/server/PackageURL.js b/server/PackageURL.js
index a1c2253..38e7b0b 100644
--- a/server/PackageURL.js
+++ b/server/PackageURL.js
@@ -3,37 +3,16 @@ const url = require('url')
 const URLFormat = /^\/((?:@[^\/@]+\/)?[^\/@]+)(?:@([^\/]+))?(\/.*)?$/
 
 function decodeParam(param) {
- if (param) {
- try {
- return decodeURIComponent(param) : ''
- } catch (error) {
- // Ignore param parsing errors.
- }
+ try {
+ return decodeURIComponent(param)
+ } catch (error) {
+ return null
 }
-
- return null
-}
-
-const ValidQueryKeys = {
- main: true,
- meta: true,
- json: true
-}
-
-function queryIsValid(query) {
- return Object.keys(query).every(function (key) {
- return ValidQueryKeys[key]
- })
 }
 
 function parsePackageURL(packageURL) {
 const { pathname, search, query } = url.parse(packageURL, true)
 
- // Do not allow unrecognized query parameters because
- // some people use them to bust the cache.
- if (!queryIsValid(query))
- return null
-
 const match = URLFormat.exec(pathname)
 
 if (match == null)
diff --git a/server/middleware/parseURL.js b/server/middleware/parseURL.js
index 18f7e59..07bebae 100644
--- a/server/middleware/parseURL.js
+++ b/server/middleware/parseURL.js
@@ -1,5 +1,17 @@
 const PackageURL = require('../PackageURL')
 
+const ValidQueryKeys = {
+ main: true,
+ meta: true,
+ json: true // deprecated
+}
+
+function queryIsValid(query) {
+ return Object.keys(query).every(function (key) {
+ return ValidQueryKeys[key]
+ })
+}
+
 /**
 * Parse and validate the URL.
 */
@@ -9,6 +21,11 @@ function parseURL(req, res, next) {
 if (url == null)
 return res.status(403).send(`Invalid URL: ${req.url}`)
 
+ // Do not allow unrecognized query parameters because
+ // some people use them to bust the cache.
+ if (!queryIsValid(url.query))
+ return res.status(403).send(`Invalid query: ${JSON.stringify(url.query)}`)
+
 req.packageName = url.packageName
 req.packageVersion = url.packageVersion
 req.packageSpec = `${req.packageName}@${req.packageVersion}`
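Review bot: The rewritten `decodeParam` in server/PackageURL.js drops the `if (param)` guard, and `decodeURIComponent(undefined)` does not throw but returns the string `"undefined"`. The version and file-path groups of `URLFormat` are both optional, so an unmatched group now decodes to `"undefined"` instead of `null`. The callers sit further down in `parsePackageURL`, outside this hunk, so it cannot be confirmed here whether any fallback for a missing value still triggers. Restoring the guard as the first line of the function keeps the old contract: `if (!param) return null`.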
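Review bot: `queryIsValid` in server/middleware/parseURL.js looks each key up with `ValidQueryKeys[key]` on a plain object literal, so names inherited from `Object.prototype` (for example `toString`) come back truthy and pass the allow-list. That weakens the check whose stated purpose, per the comment in the next hunk, is to reject unrecognized parameters. Test own properties only, `return Object.prototype.hasOwnProperty.call(ValidQueryKeys, key)`, or build the table on `Object.create(null)`. A one-line comment on `ValidQueryKeys` stating that it is the complete set of accepted query keys would also help the next reader.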
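Review bot: The new 403 branch in `parseURL` echoes `JSON.stringify(url.query)` back through `res.send()`, and Express serves a string body as `text/html` unless a content type is set. `JSON.stringify` does not escape `<` or `&`, and `url.query` is presumably the already-decoded object produced by `url.parse(packageURL, true)`, so rejected input would be reflected into the page as markup. Insert `.type('text/plain')` between `.status(403)` and `.send(...)`, or leave the query out of the body altogether. The existing `Invalid URL: ${req.url}` response just above has the same shape and deserves the same treatment. `parseURL` begins and ends outside this hunk.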